Meltdown and Spectre

Is it possible to downvote answers on this site? You are probably right that the actual risk for average users is extremely small, at present. But the comments in your first two paragraphs suggest that you are woefully ignorant about meltdown and spectre. I recommend people start at this support page and ignore the bulk of what etresoft has said here.

gpcollinz wrote:

the comments in your first two paragraphs suggest that you are woefully ignorant about meltdown and spectre. I recommend people start at this support page and ignore the bulk of what etresoft has said here.

How do you know I'm not software engineer with almost 30 years of experience? Maybe I'm one of the few people who can read and understand the technical details behind both exploits. Or maybe I'm just evil, and I understand the issue well enough to make you really worried. 👿

Did you read that Apple support page? These are both exploits that allow access to kernel space from user space. But why does Apple recommend only downloading software from the App Store? These exploits could be used by App Store software to bypass the technical restrictions that Apple imposes on the App Stores to call them "trusted".

The sad fact is that, on the Mac at least, there is little to no barrier to accessing privileged resources. In most cases, all that an app has to do is ask, and end users will happily hand over the keys to all of their devices and data, either locally or in the cloud. Don't think that iOS is any safer. Most iOS apps are just front-ends to data and servers hosted in the cloud. Do you think all of the legion servers hosted on Azure, Google, AWS, Heroku, etc. are going to be updated?

These are big security risks, but they are risks only for servers. It is simply impractical to try some difficult exploit like this on a local machine when really all you have to do is put up a password dialog. Apple has issued official security updates, so it is not like you can avoid them. It is much more efficient to use these exploits on servers that hardly ever get updated. Then, even if a particular exploit is "extremely difficult to exploit", all you need is for it to work once. Then you have all the personal, financial, credit, etc. data for a few hundred million people.

So I guess you are probably right after all. People should ignore the bulk of what I've said here. I wouldn't want a bunch of people to lose sleep worrying about the imminent and inevitable hacks of their data.

Released today (2018-01-23): Security update 2018-001 for El Capitan and Sierra (and High Sierra update 10.13.3) includes a fix related to Meltdown, among other fixes. Also updates for iOS etc, but I don't see mention of Meltdown or Spectre for those.

If that is true, how does anything ever get more than one "helpful" vote?

You will have to ask each of the users that gave those points.

• User grants helpful (5 points). OP gets to give out two of those
• User grants Answered (10 points). OP gets to give ONLY 1 of those
• Forum moderators mark a reply Apple Recommends (7 points). Moderators get to do what they wants as often as they want, although they tend to only give 1 per thread if they choose to give one out for a thread.

Hello fenriswoolf,

This issue is almost entirely media hype. This is what "security researchers" do. They find some issue, exploit it, and then tell the world the sky is falling. These things happen literally every single day. Usually, no one cares. In this case, the issue also applies to Apple devices. Anything with "Apple" is going to send media outlets into a frenzy. That, in turn, causes people to get upset and worry.

Apple is working on the actual security issues and trying to manage the hysteria. Fixing the security bug is relatively easy in comparison.

At this time, no one knows when or if Apple will a fix to older machines. Due to the nature of this exploit, the actual risk is extraordinarily small. There is really nothing to worry about.

The ONLY person that gets a vote is the one that starts a new post (OP; the original post of a thread).

In that respect, it is better to not "Dis" another reply, but rather provide a better answer that is easy for the OP to understand and maybe they will give you the points.

If that is true, how does anything ever get more than one "helpful" vote?

As for dissing, in general I agree. But I do not know the correct answer to the OP's question ("Will there be a patch for older OS X, like El Capitan?"). I just know that large chunks of etresoft's answer are very misleading in this case.

I've now provided two links to better information.

See also the answers from "John Galt" in this thread. He appears to know what he's talking about, and is making responsible, thought-out responses to questions.